FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

HAB on MCIMX7SABRE

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HAB on MCIMX7SABRE

‎09-28-2016 01:31 AM
1,911 Views
basvermeulen
Contributor I

I am trying to enable High Assurance Boot on the i.MX7 Sabre board.

The things I have already found and/or tried:

  • I have found and read the i.MX 6 Linux High Assurance Boot (HAB) User's Guide (which helps a lot with creating keys)
  • The cst-2.3.2 utility to create the keys.
  • I have modified the configuration of u-boot to add CONFIG_SECURE_BOOT in include/configs/mx7dsabresd.h; this compiles in HAB support for mx7 (arch/arm/cpu/armv7/mx7/hab.c).

The procedure to burn the chip fuses seems to have changed for either i.MX7 Sabre, or for kernel version 4.1.15 vs 3.0.35.

My questions:

  1. What is the procedure to burn fuses on the i.MX7 with kernel 4.1.15? A pointer to documentation or an application note would be great.
  2. Is the static HAB data allocation method still supported for i.MX7?
  3. Is there a Yocto recipe to do this automatically?

Any help would be much appreciated,

Bas Vermeulen

Labels (3)
Labels
0 Kudos
Reply
5 Replies

‎10-05-2016 03:58 AM
1,120 Views
igorpadykov
NXP Employee
NXP Employee

you need only use fuses which present in i.MX7, if these are not present so

they are not used.

OTPMK programming only required for i.MX6 preproduction parts where

the fuses that are normally programmed by Freescale are not programmed.

On production parts, the OTPMK are be burned by Freescale prior to shipping the device.

Please create service request so additional info could be provided to you.

Best regards
igor

0 Kudos
Reply

‎10-04-2016 10:25 PM
1,120 Views
basvermeulen
Contributor I

I'm aware of several documents regarding Secure Boot. I have read and followed the i.MX 6 Linux High Assurance Boot (HAB) User's Guide from L3.0.35_1.1.0_docs.tar.gz (I can't find the download link for that any more atm).

The procedure to burn the fuses in that document (using the OTP interface in linux) is different from the one I have available in the 4.1.15 kernel supplied by the i.MX7 SabreSD BSP.

0 Kudos
Reply

‎10-04-2016 11:45 PM
1,120 Views
igorpadykov
NXP Employee
NXP Employee

for sys/fsl_otp one can look at

How to access the i.MX6 unique ID/serial number in Linux 

https://community.nxp.com/thread/429484 

though for i.MX6, it should work for i.MX7 too.

0 Kudos
Reply

‎10-05-2016 02:29 AM
1,120 Views
basvermeulen
Contributor I

The otp registers are different between i.MX6 and i.MX7 (no HW_OCOTP_CFG5 for instance, and HW_OCOTP_BOOT_CFG0..4 instead of HW_OCOTP_CFG?).

I understand the general procedure, I know WHAT I have to do, but am missing the specific steps to do them with.

- Will i.MX7 work with the OTPMK1..7 values from i.MX6, or does it need other values?

- What register should I use to set the boot to secure (HW_OCOTP_CFG5 is no longer there)?

Regards,

Bas Vermeulen

0 Kudos
Reply

‎09-29-2016 05:24 PM
1,120 Views
igorpadykov
NXP Employee
NXP Employee

Hi Bas 

I am not aware of special i.MX7 docs, seems UL guidelines may be applicable

Signed and encrypted boot in i.MX6UL 

for programming fuses uboot may be used

Q&A: How to program i.MX6 eFUSE? | NXP Community 

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply